Anatomy of a DNS Amplification DDoS attack

Today we had to investigate a sudden spike in outbound internet traffic on a small business's network. The reported symptom was a sudden slowness when browsing the internet from machines connected to the SMB's LAN.

A quick peek at the network usage graph revealed a sudden increase in outbound traffic (blue line), while the inbound traffic volume remained relatively low (green area):

A quick peek at the incoming and outgoing traffic revealed an unusual number of inbound DNS queries for a domain (cpsc.gov) that is not hosted on the affected premises. This screenshot shows some of the queries, all coming from the same IP address. Note the size of each incoming request: approx. 79 bytes.

A quick look at the outbound traffic showed that the DNS server was actually answering all these requests, with rather large responses. Note the size of the response to each request: 3 fragmented packets, for a total of approx. 4 KB.

Obviously the DNS server shouldn't have allowed recursion for an internet-based host. Still, to fully understand what was happening, I had a closer look at the incoming request. It revealed that the DNS query was of type "ANY", something pretty unusual for a typical client application:

The response was correspondingly large, approx. 4 KB in size:

Well, what was happening is that somebody was conducting a DNS amplification DDoS attack. In a nutshell, the attacker was able to generate approx. 4 KB of traffic for every 79 bytes of inbound traffic, using packets with a spoofed source IP address so that the large responses were delivered to the spoofed address, the actual target, rather than back to the attacker. An amplification factor of approx. 50 times the original traffic, not too bad...

One of the key measures to prevent this type of abuse is to make sure that your organization's DNS servers are configured not to allow recursion from unauthorized internet-based clients.
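To make the analysis above and the recursion check reproducible offline, here is an added example (not code from the original post or from any DNS server project): a minimal DNS packet toolkit that builds the kind of ANY query seen in the capture, parses it back, scores a request/response pair by source network, query type and amplification ratio, and interprets a resolver's reply to tell whether recursion was served or refused. The 42-byte Ethernet/IPv4/UDP overhead, the internal prefixes, the 4000-byte response size and the 203.0.113.7 source address are all assumptions or constructed sample values, marked as such in the comments.

```python
"""Added example, not code from the original post: a minimal DNS packet toolkit
for reproducing the analysis offline and for checking a resolver's recursion
policy. Assumptions and constructed values are marked in comments."""
import ipaddress
import socket
import struct

# RFC 1035 query types (ANY = 255) and the response codes we care about.
QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# Assumption: Ethernet (14) + IPv4 (20) + UDP (8) header bytes, used to turn a
# DNS payload size into the on-the-wire packet size a capture tool reports.
L2_L3_L4_OVERHEAD = 42
# Assumption: the LAN prefixes that are allowed to use the resolver recursively.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_udp_size=4096):
    """Build a recursive query carrying an EDNS0 OPT record that advertises a large
    UDP buffer, which is what lets the resolver return a multi-kilobyte UDP reply."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)  # OPT RR, RFC 6891
    return header + question + opt


def decode_name(data, offset):
    """Decode a (possibly compressed) name; returns (name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(data, pointer)[0])
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(data):
    """Pull the fields relevant to the analysis out of a raw DNS query payload."""
    txid, flags, _qdcount, _, _, arcount = struct.unpack("!HHHHHH", data[:12])
    qname, offset = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
    return {"id": txid, "qname": qname, "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
            "rd": bool(flags & 0x0100), "edns": arcount > 0, "payload_bytes": len(data)}


def assess(src_ip, query_bytes, response_wire_bytes, internal_nets=INTERNAL_NETS):
    """Score one request/response pair the way the investigation did: where did it
    come from, what did it ask for, and by how much did the server amplify it?"""
    q = parse_query(query_bytes)
    src = ipaddress.ip_address(src_ip)
    external = not any(src in net for net in internal_nets)
    request_wire_bytes = q["payload_bytes"] + L2_L3_L4_OVERHEAD
    ratio = response_wire_bytes / request_wire_bytes
    reasons = []
    if external and q["rd"]:
        reasons.append("recursive query from outside the LAN")
    if q["qtype"] == "ANY":
        reasons.append("qtype ANY")
    if ratio >= 10:
        reasons.append(f"amplification {ratio:.0f}x")
    return {"qname": q["qname"], "qtype": q["qtype"], "request_bytes": request_wire_bytes,
            "response_bytes": response_wire_bytes, "amplification": round(ratio, 1),
            "suspicious": external and (q["qtype"] == "ANY" or ratio >= 10),
            "reasons": reasons}


def classify_response(data):
    """Interpret a reply header: RA flag (0x0080), RCODE (low 4 bits), answer count."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)
    return {"recursion_available": ra, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "answers": ancount, "recursion_served": ra and rcode == 0 and ancount > 0}


def probe_recursion(resolver_ip, name="example.com", timeout=3.0):
    """Send one recursive A query to your own resolver from a host outside the LAN.
    A correctly restricted server answers REFUSED (or with RA clear and no answers).
    This does real network I/O: run it by hand, it is not part of the offline checks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, 1), (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return classify_response(reply)


if __name__ == "__main__":
    # Constructed sample: the ANY query for cpsc.gov from the post, arriving from an
    # external address (203.0.113.7 is documentation space), answered with ~4000 wire bytes.
    captured = build_query("cpsc.gov", 255)
    print(assess("203.0.113.7", captured, 4000))
    # Constructed sample: header of a reply from a resolver that refuses recursion.
    refused = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR, RD, RCODE=5
    print(classify_response(refused))
```

With the assumed 42-byte header overhead, the 37-byte ANY query for cpsc.gov comes out at exactly the 79 wire bytes seen in the capture, and a 4000-byte response gives the ~50x factor the post describes. The `probe_recursion` check is the one to run against your own resolver from outside after tightening its policy (for example `allow-recursion` in BIND or `access-control` in Unbound): the reply should come back as REFUSED, not as a served answer.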